A security flaw in Skype's updater process can allow an attacker to gain system-level privileges to a vulnerable computer.

The bug, if exploited, can escalate a local unprivileged user to the full "system" level rights -- granting them access to every corner of the operating system.

But Microsoft, which owns the voice- and video-calling service, said it won't immediately fix the flaw, because the bug would require too much work.

Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs.

Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking.

The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.

"Windows provides multiple ways to do it," he said. But DLL hijacking isn't limited to Windows, he said -- noting that it can apply to Macs and Linux, too.

Once "system" privileges are gained, an attacker "can do anything," Kanthak said.

"'System' is 'administrator' on steroids," he added.

From there, an attacker could steal files, delete data, or hold data hostage by running ransomware.

Kanthak informed Microsoft of the bug in September, but the software giant said issuing a fix would require the updater go through "a large code revision."

The company told him that even though engineers "were able to reproduce the issue," a fix will land "in a newer version of the product rather than a security update."

Instead, the company said it's put "all resources" on building an altogether new client.

Skype might be an unsuspecting app to target a user, because the app runs at the same level of privileges at the local, logged-in user, making it difficult for attackers to do much with that low level of access. To cause any kind of damage of worth, you need to be an administrator or above -- like the "system" user.

But Skype has previously fallen victim to malvertising attacks that could open up the system to damage, if this escalation of privilege bug is exploited.

When reached, a Microsoft did not have comment. If that changes, we'll update.

Share this post

Link to post

Share on other sites

Who'll use crap Skype destroyed by MS? We all aware of the past and current MS botched updates and crappy activities. Telegram is much better since they fixed the bug in desktop app before the news is out. Only thing is these open-source privacy oriented apps need support to make new features added.
It is the power of open source and community with privacy & security at first similar to Linux.

Share this post

Link to post

Share on other sites

There’s a security flaw in Skype which is apparently too hard to fix right now

Microsoft will build the fix into a future version of Skype

There’s a gaping hole in Skype’s update installer which could potentially allow an attacker to gain full control over the host machine, and what’s more, this isn’t something Microsoft can patch against right now, with the software giant having to put off the fix until a future version of the Skype app is rolled out.

The flaw was uncovered by a security researcher, Stefan Kanthak, who found that the Skype update installer can be exploited with a DLL hijacking technique, which fools the app into utilizing malicious code rather than Microsoft’s intended code.

The good news, such as it is, is that leveraging this is far from a trivial affair, but on the other hand, the researcher told ZDNet (which reported this affair) that the attack could be “easily weaponized”.

There are multiple possible paths of exploit on Windows, as outlined by Kanthak, who further observed that this isn’t specific to Microsoft’s desktop OS, with macOS and Linux users also potentially vulnerable to these DLL hijacking shenanigans.

Malware mayhem

The bug allows the attacker to gain system-level privileges, meaning the potential havoc that can be wreaked pretty much runs the entire gamut of malicious activity, from stealing or deleting files to installing malware on the host PC.

Perhaps the worse-still news for Skype users is that Microsoft can’t actually patch the current Skype software to defend against the exploit, because to do so would essentially involve a massive revision of the updater’s code – apparently so big that it’s impractical to consider.

The researcher told Microsoft about the flaw last September, and said that the software giant was able to reproduce the issue, and rather than patching with a security update now, is planning to build the fix into a later version of Skype.

So, the bottom line is Skype users will remain potentially vulnerable to this cross-platform bug for the foreseeable future, which isn’t an ideal situation, obviously.

And if that prospect is prompting you to consider alternatives to Microsoft’s software for the time being, we’ve rounded up the best free Skype alternatives right here.